s3-bucket-policy-grantee-check - Amazon Config
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

s3-bucket-policy-grantee-check

Checks that the access granted by the Amazon S3 bucket is restricted by any of the Amazon principals, federated users, service principals, IP addresses, or VPCs that you provide. The rule is COMPLIANT if a bucket policy is not present.

For example, if the input parameter to the rule is the list of two principals: 111122223333 and 444455556666 and the bucket policy specifies that only 111122223333 can access the bucket, then the rule is COMPLIANT. With the same input parameters: If the bucket policy specifies that 111122223333 and 444455556666 can access the bucket, it is also COMPLIANT.

However, if the bucket policy specifies that 999900009999 can access the bucket, the rule is NON_COMPLIANT.

Note

If a bucket policy contains more than one statement, each statement in the bucket policy is evaluated against this rule.

Identifier: S3_BUCKET_POLICY_GRANTEE_CHECK

Resource Types: AWS::S3::Bucket

Trigger type: Configuration changes

Amazon Web Services Region: All supported Amazon regions except Asia Pacific (Hyderabad), Asia Pacific (Malaysia), Canada West (Calgary), Europe (Spain) Region

Parameters:

awsPrincipals (Optional)
Type: CSV

Comma-separated list of principals such as IAM User ARNs, IAM Role ARNs, and Amazon accounts. You must provide the full ARN or use partial matching. For example, "arn:aws:iam::AccountID:role/role_name" or "arn:aws:iam::AccountID:role/*". If the provided value is not an exact match with the principal ARN specified in the bucket policy, the rule is NON_COMPLIANT.

servicePrincipals (Optional)
Type: CSV

Comma-separated list of service principals, for example 'cloudtrail.amazonaws.com, lambda.amazonaws.com'.

federatedUsers (Optional)
Type: CSV

Comma-separated list of identity providers for web identity federation such as Amazon Cognito and SAML identity providers. For example 'cognito-identity.amazonaws.com, arn:aws:iam::111122223333:saml-provider/my-provider'.

ipAddresses (Optional)
Type: CSV

Comma-separated list of CIDR formatted IP addresses, for example '10.0.0.1, 192.168.1.0/24, 2001:db8::/32'.

vpcIds (Optional)
Type: CSV

Comma-separated list of Amazon Virtual Private Clouds (Amazon VPC) IDs, for example 'vpc-1234abc0, vpc-ab1234c0'.

Amazon CloudFormation template

To create Amazon Config managed rules with Amazon CloudFormation templates, see Creating Amazon Config Managed Rules With Amazon CloudFormation Templates.